Does Your Enterprise Have A Security Gap?

advertisement
HDI Sacramento Chapter
August 16th, 2011
Does Your Enterprise Have A
Security Gap ?
Fast • Reliable • Certified • Secure • Data Recovery
Agenda
What Is The Data Security Gap?
How Can You Close That Gap?
Questions & Answers
Fast • Reliable • Certified • Secure • Data Recovery
All Storage Devices Fail
Fast • Reliable • Certified • Secure • Data Recovery
I NEED MY DATA NOW!
Fast • Reliable • Certified • Secure • Data Recovery
Hardware Failure Requires
Professional Data Recovery
Main Causes of Device Failure and Data Loss
Fast • Reliable • Certified • Secure • Data Recovery
Who Can You Trust?
Fast • Reliable • Certified • Secure • Data Recovery
The Risk of Choosing the
Wrong Recovery Vendor
Ponemon Institute Survey:
• First national study on security of data recovery operations
• 636 IT Security/IT Support professionals surveyed
• All verticals, including business and government
• Focus on third-party data recovery services
• Goal: Confirm or dispel belief that confidential and
sensitive data may be at risk when in the possession of a
disreputable third-party data recovery service provider.
Fast • Reliable • Certified • Secure • Data Recovery
Myth Buster:
“We never send data out for recovery!”
Source: The Ponemon Institute Study: “Security of Data Recovery Operations”
Fast • Reliable • Certified • Secure • Data Recovery
Surprise Factor:
Loss of Sensitive Data Drives Vendor Engagements
Source: The Ponemon Institute Study: “Security of Data Recovery Operations”
Fast • Reliable • Certified • Secure • Data Recovery
Known Factor:
Data Recovery Vendors Selected by IT Support
Source: The Ponemon Institute Study: “Security of Data Recovery Operations”
Fast • Reliable • Certified • Secure • Data Recovery
Risk Factor:
IT Security Not Involved In Selection Process
Source: The Ponemon Institute Study: “Security of Data Recovery Operations”
Fast • Reliable • Certified • Secure • Data Recovery
Data Recovery Providers
Could Put Your Data at Risk
83%
19%
43%
reported a breach
breached at data recovery vendor
due to vendor’s lack of security protocols
Source: The Ponemon Institute Study: “Security of Data Recovery Operations”
Fast • Reliable • Certified • Secure • Data Recovery
The Smoking Gun
Fast • Reliable • Certified • Secure • Data Recovery
Closing the
Data Security Gap
Fast • Reliable • Certified • Secure • Data Recovery
New NIST Guideline:
Proper Security Vetting
NIST Special Publication (SP) 800-34
 Updated language to Section 5.1.3
“Organizations may use third-party vendors to recover data from failed
storage devices. Organizations should consider the security risk of having
their data handled by an outside company and ensure that proper security
vetting of the service provider is conducted before turning over equipment.
The service provider and employees should sign non discloser agreements,
be properly bonded, and adhere to organization-specific security policies."
Source: Contingency Planning Guide for Federal Information Systems, Section 5.1.3: Protection of Resources
Fast • Reliable • Certified • Secure • Data Recovery
SIG/AUP Auditing Tools
BITS/Financial Roundtable/Shared Assessments
• Standardized Information Gathering (SIG) tool (SIG.V6)
updated October, 2010
Do third party vendors have access to Scoped Systems and Data? (backup
vendors, service providers, equipment support maintenance, software
maintenance vendors, data recovery vendors, etc)? If so, is there:
• Security review prior to engaging their services (logical, physical, other corp controls)
•
•
•
•
Security review at least annually, on an ongoing basis
Risk assessments or review
Confidentiality and/or Non Disclosure Agreement requirements
Requirement to notify of changes that might affect services rendered
Fast • Reliable • Certified • Secure • Data Recovery
FDIC Vendor Mgt Guidelines
FDIC
• Action items discussed
• Internal memo to be distributed to FDIC Examiners
• Letter to be distributed to Financial Institutions
• Updates to FFIEC handbook
Fast • Reliable • Certified • Secure • Data Recovery
Risk Points During
Data Recovery






Negligent or unethical data recovery technicians
Unprotected networks housing restored data files
Lost or compromised data during transit
Switch-up of client data
Improper disposal of unwanted storage devices
Recovered data returned with viruses or malware
Fast • Reliable • Certified • Secure • Data Recovery
Vet Your Data Recovery Vendors
Fast • Reliable • Certified • Secure • Data Recovery
Checklist for Vetting
Data Recovery Vendors
Demand Proof:
Proof of internal information technology controls and data security
safeguards, such as SAS 70 Type II audit reports
 Certification by leading encryption software companies
 Proof of chain-of-custody protocols and certified secure network
 Vetting and background checks of all employees
 Secure and permanent data destruction when required
 Use of encryption for data files in transit
 Proof of a certified ISO-5 (Class 100) Cleanroom

Source: The Ponemon Institute Study: “Security of Data Recovery Operations”
Fast • Reliable • Certified • Secure • Data Recovery
DriveSavers Best Practices
Technology
Certifications
Protocols
SAS 70 Type II
Audit Reports
Certified ISO-5
(Class 100) Cleanroom
Certified by Leading
Encryption Vendors
DOD Approved
Data Destruction
Authorized by leading
Data Storage Mftrs
Fast • Reliable • Certified • Secure • Data Recovery
We Can Save It!
Fast • Reliable • Certified • Secure • Data Recovery
Choose Your Service Option
Service Level
Turnaround
Description
Economy
5-7 Business Days
Competes directly with
higher priced Standard
diagnosis/turnaround
times offered by other
companies.
Standard
1-2 Business Days
Fastest Standard
Turnaround time in the
industry.
Completed during
normal business hours.
Priority
ASAP
Recovery begins upon
receipt of the drive—
365 days of the year,
including nights,
weekends and holidays.
Fast • Reliable • Certified • Secure • Data Recovery
Live 24/7 Support
Fast • Reliable • Certified • Secure • Data Recovery
Approved GSA Contractor #GS-35F-0121S
• Annual SAS 70 II Security Audits
• High Security Service Available
• Certified to recover encrypted data
• DOD-approved data erasure process
Fast • Reliable • Certified • Secure • Data Recovery
Recap
 Data loss does occur
 Data recovery companies are used often
 Critical data is at risk of breach
 You can close the security gap
 Vet the security protocols of data
recovery service providers
Fast • Reliable • Certified • Secure • Data Recovery
Q&A
Fast • Reliable • Certified • Secure • Data Recovery
Thank you
Michael Hall, CISO
[email protected]
415.382.8000 ext 126
Rob Matheson
Corporate Account Executive
[email protected]
415.382.8000 ext 136
Fast • Reliable • Certified • Secure • Data Recovery
Download
Related flashcards
Create Flashcards